GH-1164: Fix incorrect RSTOS0 conn_state determinations

The RSTOS0 `conn_state` label is documented as "Originator sent a SYN followed by a RST, never saw SYN-ACK from responder", but was previously applied to cases where no originator SYN exists, like a single RST-only packet.
2025-10-07 09:08:20 +00:00 · 2020-09-11 16:14:41 -07:00 · 2020-09-11 16:14:41 -07:00 · a16bd47bf7
commit a16bd47bf7
parent 5945aec7e8
11 changed files with 1365 additions and 1339 deletions
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@ -72,8 +72,8 @@ export {
 		## * SHR: Responder sent a SYN ACK followed by a FIN, we never saw a
 		##   SYN from the originator.
 		##
-		## * OTH: No SYN seen, just midstream traffic (a "partial connection"
-		##   that was not later closed).
+		## * OTH: No SYN seen, just midstream traffic (one example of this
+		##   is a "partial connection" that was not later closed).
 		conn_state:   string          &log &optional;

 		## If the connection is originated locally, this value will be T.
@ -183,7 +183,17 @@ function conn_state(c: connection, trans: transport_proto): string
 				return "RSTR";
 			}
 		else if ( os == TCP_RESET )
-			return r_inactive ? "RSTOS0" : "RSTO";
+			{
+			if ( r_inactive )
+				{
+				if ( /\^?S[^HAFGIQ]*R.*/ == c$history )
+					return "RSTOS0";
+
+				return "OTH";
+				}
+
+			return "RSTO";
+			}
 		else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
 			return "SF";
 		else if ( os == TCP_CLOSED )